DOS got you down?

Sometimes disgruntled individuals wish to "take down" your web site by
flooding it with bogus traffic from Windows PCs they've
compromised, causing your server to deny service to legitimate traffic
because of the increased load on your web server (this is
"DOS"--denial of service).

This document describes a couple of simple, lightweight, and efficient
ways (using mod_rewrite) you as an Apache admin can redirect this
illegitimate traffic elsewhere and keep your site available to regular
requests.

mod_rewrite is an efficient and flexible Apache module which allows you
to perform URL rewriting dynamically.

Blocking requests based on request characteristics

You can block requests based on certain characteristics by adding this
to your httpd.conf in the appropriate virtualhost section:

The mod_rewrite directives above will block requests that meet the
following three criteria:

have an empty referer

have an empty useragent

request the document root '/'

You should change these to match the characteristics of your
attack. For example, if your attackers send a specific user agent
string (e.g., a particular Mozilla or IE string), you should match on
that instead. The net effect is this:

attacking requests are redirected back to the requesting client
(attacker eats his own dogfood, depending on the client software)
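The page's own httpd.conf snippet does not appear above, so the following is an added example (not the original author's configuration) implementing the three criteria and the redirect-back behaviour the text describes; the log file names and the `nolog` variable name are assumptions.

```apache
# Added example, not the page's own snippet: mod_rewrite rules that
# match the three criteria listed above and bounce the request back to
# the client that sent it, keeping it out of the main access log.
# Assumptions: log paths, the "combined" format name and the "nolog"
# variable name are illustrative. Place this inside the relevant
# <VirtualHost> block (server context, so the pattern keeps its
# leading slash).

RewriteEngine On

# Criterion 1: empty Referer header
RewriteCond %{HTTP_REFERER} ^$
# Criterion 2: empty User-Agent header
RewriteCond %{HTTP_USER_AGENT} ^$
# Criterion 3: request for the document root only.
# RewriteCond lines are ANDed, so the rule fires only when all match.
#   R=302       external redirect to the requester's own address
#   L           stop processing further rewrite rules
#   E=nolog:1   set an environment variable the log directives can test
RewriteRule ^/$ http://%{REMOTE_ADDR}/ [R=302,L,E=nolog:1]

# A cheaper alternative is to answer 403 instead of redirecting:
#   RewriteRule ^/$ - [F,L,E=nolog:1]

# Keep the matched junk out of the normal access log (env=!nolog), and
# write it to a separate log so the attack can still be measured.
CustomLog logs/access_log combined env=!nolog
CustomLog logs/dos_log combined env=nolog
```

The E= flag is implemented by mod_rewrite itself; mod_setenvif supplies SetEnvIf and related directives but is not needed for the rule above.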

Observations

This has worked for sites being hit at roughly 10 attacking hits per
second without breaking a sweat. I haven't scaled up to test it, but I
imagine it would work for much higher values.

If attacking characteristics are randomized or otherwise not of a
set that can be easily normalized, then this method will be less
useful. Likewise, if the incoming requests are coming in at a rate
higher than your socket or Apache buffers can hold, nothing you can do
at the application layer will help (i.e., you'll need to configure
your network card to drop the attacking packets, or better, have your
upstream ISP stop it at their incoming routers). YMMV.

I load mod_setenvif in my Apache; it might be required to use
mod_rewrite's E=var (e.g., E=nolog:1) capabilities. I haven't
confirmed this. If someone figures this out (e.g., has one Apache built
with and one built without mod_setenvif), let me know.